Devious snippets
Collection of different approaches
javascript
Javascript
28 February 1998
by Jack of Shadows
Courtesy of Fravia's page of reverse engineering
 
This dictionary attack technique seems to work all too well for my taste... I remembered only ONE occurrence of "Mozilla" on my site, about the book of Mozilla, in tamimons.htm... but I checked: there are 28 (twenty-eight!) references... This summer's page will be MUCH more difficult to access, I tell you!
There is a crack, a crack in everything. That's how the light gets in.
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

Collection of various approaches to password cracking.
Written by Jack of Shadows
shadowjack(at)inorbit(dot)com


Introduction
I tried many approaches while attempting to get into the Java Devious page. Here is a short overview.

Tools required
Browser with Javascript
Turbo Pascal for small helper programs

Target's URL/FTP
Java Devious page

Essay

1. Reversing the algorithm

It is very clear that Dolgov's algorithm is completely irreversible. If you don't believe that, calculate F1("aaaa") and F1("baaa") (those strings are converted into consecutive integers in the middle of function F1). The resulting numbers are completely different. Dolgov's functions are therefore extremely usable for string hashing (as in this example).

2. Brute force attack

Most of my attack programs were written in Javascript. My first approach, a brute-force attack, is no exception. The program is very simple:

var base = new Array("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");

// F1 and F2 are Dolgov's hashing functions from the target page and must already
// be loaded; the three constants are the hash values embedded in that page.
function bruteForce() {
  var id = "";
  var pwd = "";   // must start empty, otherwise "undefined" is prepended to the first hit
  var c1, c2, c3, c4, c5, word, hash;
  for (c1 = 0; c1 <= 25; c1++) {
    status = base[c1]; // yes, we're still alive (shown in the browser's status bar)
    for (c2 = 0; c2 <= 25; c2++) {
      for (c3 = 0; c3 <= 25; c3++) {
        for (c4 = 0; c4 <= 25; c4++) {
          for (c5 = 0; c5 <= 25; c5++) {
            word = base[c1]+base[c2]+base[c3]+base[c4]+base[c5];
            hash = F1(word);
            if(hash == 191979145621879) id = id + "4:" + word + " ";
            hash = F2(word);
            if(hash == 251426266017281) pwd = pwd + "4:" + word + " ";
            if(hash == 492060879591955) pwd = pwd + "6:" + word + " ";
          }
        }
      }
    }
  }
  if (id != "") alert("id: "+id);
  if (pwd != "") alert("pwd: "+pwd);   // report the password hits as well, not only the id
  return;
}

This type of attack is not practical for longer passwords, at least not in Javascript. On my not-so-slow machine the program ran for about 5 hours. Extending it to six-letter passwords would make it run 26 times longer, approximately 5.5 days.

On the second night I ran a simple variation of the program. Only one line was different: word = "jav"+base[c1]+base[c2]+base[c3]+base[c4]+base[c5]; The logic: since we want to crack a Java-related password, it may well start with "jav" or "java". No luck.

3. Brute force attack on web

With my web page grabber I tried all permutations of the digits 123456 (for example 213456.htm, 563241.htm, etc.): 720 combinations, about 10 minutes. No luck.

A brute-force attack with dates (from today backwards, of course) would have found the correct page in less than an hour, but I didn't try it. Shame on me.
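What the five nested loops of section 2 and the "26 times longer" arithmetic, together with the 720 page-name permutations of section 3, amount to in general form. This is an added example written for this page, not Jack of Shadows' code: enumerateCandidates replaces one nested loop per character with a single odometer counter (so the "jav" prefix variant is just a parameter), permutations covers the 123456 case, and scaledSeconds carries the essay's scaling estimate through. Dolgov's F1/F2 are not available here, so standInHash is an assumed stand-in that only exists to give the search something to compare against; it is not the target page's function.

```javascript
// Added example (not the essay's code). standInHash is an assumption standing in
// for Dolgov's F1/F2, so that the enumerator can be run end to end offline.
function standInHash(s) {
  let h = 5381;
  for (let i = 0; i < s.length; i++) {
    h = (h * 33 + s.charCodeAt(i)) % 4294967296; // keep the value inside 32 bits
  }
  return h;
}

// Every string of `length` symbols over `alphabet`, after an optional fixed
// prefix. One counter array stands in for the essay's c1..c5 loops, so the
// password length is a parameter instead of a rewrite.
function* enumerateCandidates(alphabet, length, prefix = "") {
  const idx = new Array(length).fill(0);
  while (true) {
    yield prefix + idx.map(i => alphabet[i]).join("");
    let pos = length - 1;
    while (pos >= 0) {            // increment like an odometer, right to left
      idx[pos]++;
      if (idx[pos] < alphabet.length) break;
      idx[pos] = 0;
      pos--;
    }
    if (pos < 0) return;          // every wheel wrapped: search space exhausted
  }
}

// Exhaustive search: first candidate whose hash equals the embedded value, or null.
function bruteForce(targetHash, hashFn, alphabet, length, prefix = "") {
  for (const word of enumerateCandidates(alphabet, length, prefix)) {
    if (hashFn(word) === targetHash) return word;
  }
  return null;
}

// All orderings of the characters of `s` (section 3: "123456" gives 6! = 720 names).
function permutations(s) {
  if (s.length <= 1) return [s];
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const rest = s.slice(0, i) + s.slice(i + 1);
    for (const p of permutations(rest)) out.push(s[i] + p);
  }
  return out;
}

// The essay's estimate: a run over length n took `measuredSeconds`; the same
// alphabet at length m takes alphabetSize^(m-n) times as long.
function scaledSeconds(alphabetSize, measuredLength, measuredSeconds, newLength) {
  return measuredSeconds * Math.pow(alphabetSize, newLength - measuredLength);
}

const LOWER = "abcdefghijklmnopqrstuvwxyz";

// Stand-alone run: 26^5 in 5 hours implies 26^6 in about 5.4 days.
console.log("six letters, days:", scaledSeconds(26, 5, 5 * 3600, 6) / 86400);
console.log("permutations of 123456:", permutations("123456").length);
console.log("found:", bruteForce(standInHash("cab"), standInHash, LOWER, 3));
```

The arithmetic is the part worth keeping: the checks in these puzzle pages compare against hash constants shipped to the client, so the only thing protecting the secret is the size of the space the attacker has to enumerate, and a lowercase-only five-letter space (26^5, about 12 million) is small enough for a 1998 browser.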

4. Experimenting with different web page names (numbers)

I was almost sure that the correct page name (number) was a date (as you can see, I was right). I tried some dates and other numbers (42, 666). No luck.

5. Experimenting with different passwords

The following simple program helped me try different passwords by hand:

// F1 and F2 are Dolgov's hashing functions from the target page.
function tryPasswords() {
  var word, id, pwd, hash;
  do {
    word = prompt("Enter word: ","");
    if (word == null) break;   // Cancel returns null, which is != "" and would loop forever
    if (word != "") {
      id = "";
      pwd = "";
      hash = F1(word);
      if(hash == 191979145621879) id = id + "4:" + word + " ";
      hash = F2(word);
      if(hash == 251426266017281) pwd = pwd + "4:" + word + " ";
      if(hash == 492060879591955) pwd = pwd + "6:" + word + " ";
      if (id != "") alert("id:"+id);
      if (pwd != "") alert("pwd:"+pwd);
    }
  } while(word != "");
  return;
}

No luck.

6. Dictionary attack

After some searching I found a very interesting place with lists of commonly used words in many languages. I tried the English list, of course.

A quick and dirty Turbo Pascal program converted the list (I tested in multiple passes: first the words of 6 characters, then 7, etc.) into a Javascript Array constructor, which I included in the test program:


var words = new Array ("a", "aa", "aaa", "aaaa"); // just an example; the real list was generated from the word-list file

// F1 and F2 are Dolgov's hashing functions from the target page.
function dictionaryAttack() {
  var id = "";
  var pwd = "";
  var i, hash;
  for(i = 0; i < words.length; i++) {
    if ((i % 1000) == 0) status = i+": "+words[i]+" ("+id+","+pwd+")";  // progress in the status bar
    hash = F1(words[i]);
    if(hash == 191979145621879) id = id + "4:" + words[i] + " ";
    hash = F2(words[i]);
    if(hash == 492060879591955) pwd = pwd + "6:" + words[i] + " ";
  }
  prompt("id",id);
  prompt("pwd",pwd);
  return;
}



At last I found one password: "targeted".

7. Permutations

Then I wrote a little program to generate all permutations of the usernames/passwords I already knew and ran them through the checking program from the last example. No luck.

8. Targeted dictionary attack

Then I thought a little about further sources of possible words. Suddenly it dawned on me: the right source is right under your nose, on Fravia.org! So I downloaded the entire site (sorry Fravia, you asked for it ;) with WebZIP, wrote a little preprocessor to extract all words from the HTML, and created an Array constructor as in example 6.

Finally I found the last missing piece: "mozilla".
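The preprocessing step of sections 6 and 8 (turn a text source into a deduplicated word list, emit it as the Array constructor the test program consumes, and run the id/pwd check over it) as an added example in Javascript. This is not the essay's Turbo Pascal program and not Fravia's HTML: SAMPLE_HTML is a constructed page, and toyHash is an assumed stand-in for Dolgov's F1/F2 so the check can run offline. The check is written generically (a list of label/hash/target triples) so that the same loop covers the "4:" and "6:" cases the essay tags by hand.

```javascript
// Added example (not the essay's code). Strip scripts, styles, tags and entities,
// then keep the distinct lowercase words of at least `minLen` letters.
function extractWords(html, minLen = 4) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, " ")
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]+>/g, " ")
    .replace(/&[a-z]+;|&#\d+;/gi, " ");
  const seen = new Set();
  for (const m of text.toLowerCase().matchAll(/[a-z]+/g)) {
    if (m[0].length >= minLen) seen.add(m[0]);
  }
  return [...seen].sort();
}

// Emit the list in the form example 6 of the essay expects.
function toArrayConstructor(words) {
  return "var words = new Array(" + words.map(w => JSON.stringify(w)).join(", ") + ");";
}

// Run every word through each check; a check is {label, hash, target}, mirroring
// the essay's "4:" / "6:" tagging of hits. Returns the labelled hits.
function dictionaryCheck(words, checks) {
  const hits = [];
  for (const w of words) {
    for (const c of checks) {
      if (c.hash(w) === c.target) hits.push(c.label + ":" + w);
    }
  }
  return hits;
}

// Assumed stand-in for Dolgov's F1/F2; only here so the example runs offline.
function toyHash(s) {
  let h = 7;
  for (const ch of s) h = (h * 31 + ch.charCodeAt(0)) >>> 0;
  return h;
}

// Constructed sample page (not Fravia's actual HTML). The script body must not
// leak into the word list; the title and link text must.
const SAMPLE_HTML = `<html><head><title>Book of Mozilla</title>
<script>var x = "ignored";</script></head>
<body><p>The beast &amp; the targeted page were <b>Mozilla's</b> doing.</p>
<a href="tamimons.htm">mozilla again</a></body></html>`;

function demo() {
  const words = extractWords(SAMPLE_HTML, 4);
  const checks = [
    { label: "4", hash: toyHash, target: toyHash("targeted") },
    { label: "6", hash: toyHash, target: toyHash("mozilla") },
  ];
  return { words, source: toArrayConstructor(words), hits: dictionaryCheck(words, checks) };
}

console.log(demo());
```

The lesson the essay draws is the one to keep: one password came from a public common-words list and the other from the site's own pages, so neither survived a wordlist that took minutes to build. Passing words through this kind of extractor is a cheap way to check whether a site's secrets are sitting in its own content.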



Final Notes
As can clearly be seen, my solution is no better than Papazov's (actually, it is the same). Nevertheless I hope that my collection of various tricks will be of some help to fellow hackers.

Still, one thing bothers me. What the hell happened on 16 May 1993? Fravia, will you enlighten me?

As far as I remember, absolutely nothing in particular happened on 16 May 1993... (Fravia)

